portage-stable/metadata: Monthly GLSA metadata updates

This commit is contained in:
Flatcar Buildbot 2024-08-01 07:16:34 +00:00 committed by Dongsu Park
parent 7aa0166ea2
commit e5f61621a8
24 changed files with 1023 additions and 17 deletions


@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
MANIFEST Manifest.files.gz 576950 BLAKE2B 88011af22fa4be4dd32deb6beef67152498dbf9a935f1735cb732a1cff2286ecaac7ff10b0cd4cc26890af67573dfd9f41b1b3d976e69dc012ee35c219644c8d SHA512 c652e80fb194ffb2de3f33c3046f525f887396de843ab0761ad5fa21d9949f6b62a1a16747b833821d7307bc10a7d9679651980cd85f6673c854e9dc8e09f5af
TIMESTAMP 2024-07-01T06:40:32Z
MANIFEST Manifest.files.gz 580125 BLAKE2B 982b6b57cb4d4733e1bbfeb28e0a6a9ff1b1b559ff5cd5932caade1ea3218e0035c9f42e574b5131fdf3387eabb87c7cd6aed2cba373d576048c0a5e79ccec35 SHA512 8cb2188002bd17e3e7ba091831fe199c9ad02d776881b9e2e7325790c2a717534701fddb8aaca82004fd810de6f8b5b2c8146c80435e1d75e4d5c49960506eaf
TIMESTAMP 2024-08-01T06:40:34Z
-----BEGIN PGP SIGNATURE-----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=IEvJ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=y/aO
-----END PGP SIGNATURE-----


@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-09">
<title>OpenSSH: Remote Code Execution</title>
<synopsis>A vulnerability has been discovered in OpenSSH, which can lead to remote code execution with root privileges.</synopsis>
<product type="ebuild">openssh</product>
<announced>2024-07-01</announced>
<revised count="1">2024-07-01</revised>
<bug>935271</bug>
<access>remote</access>
<affected>
<package name="net-misc/openssh" auto="yes" arch="*">
<unaffected range="ge">9.7_p1-r6</unaffected>
<vulnerable range="lt">9.7_p1-r6</vulnerable>
</package>
</affected>
<background>
<p>OpenSSH is a free application suite consisting of server and clients that replace tools like telnet, rlogin, rcp and ftp with more secure versions offering additional functionality.</p>
</background>
<description>
<p>A vulnerability has been discovered in OpenSSH. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>A critical vulnerability in sshd(8) was present in Portable OpenSSH
versions that may allow arbitrary code execution with root privileges.
Successful exploitation has been demonstrated on 32-bit Linux/glibc
systems with ASLR. Under lab conditions, the attack requires on
average 6-8 hours of continuous connections up to the maximum the
server will accept. Exploitation on 64-bit systems is believed to be
possible but has not been demonstrated at this time. It&#39;s likely that
these attacks will be improved upon.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.
Note that Gentoo has backported the fix to the following versions:
net-misc/openssh-9.6_p1-r5
net-misc/openssh-9.7_p1-r6</p>
</workaround>
<resolution>
<p>All OpenSSH users should upgrade to the latest version and restart the sshd server (to ensure access for new sessions and no vulnerable code keeps running).</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/openssh-9.7_p1-r6"
</code>
<p>With OpenRC:</p>
<code>
# rc-service sshd restart
</code>
<p>With systemd:</p>
<code>
# systemctl try-restart sshd.service
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6387">CVE-2024-6387</uri>
</references>
<metadata tag="requester" timestamp="2024-07-01T18:03:48.914047Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-01T18:03:48.917560Z">graaff</metadata>
</glsa>
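Review bot: Every advisory added by this commit opens with `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` (the second line of this file and of each of the other new files in the commit), which names an external DTD fetched over plain http. The consumer of this metadata on the Flatcar side is not visible from this commit, but any parser that reads these files should run with DTD loading and external-entity resolution disabled, so the DOCTYPE is never fetched or resolved and the advisory content cannot pull in anything from outside the file; the DTD URL is a format identifier, not a trust anchor. These files are mirrored verbatim from upstream Gentoo, so the DOCTYPE itself should stay as-is and the hardening belongs in whatever parses them, not in this sync.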


@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-10">
<title>Sofia-SIP: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Sofia-SIP, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">sofia-sip</product>
<announced>2024-07-05</announced>
<revised count="1">2024-07-05</revised>
<bug>891791</bug>
<access>remote</access>
<affected>
<package name="net-libs/sofia-sip" auto="yes" arch="*">
<vulnerable range="lt">1.13.16</vulnerable>
</package>
</affected>
<background>
<p>Sofia-SIP is an RFC3261 compliant SIP User-Agent library.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Sofia-SIP. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Multiple vulnerabilities have been discovered in Sofia-SIP. Please review the CVE identifiers referenced below for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for the Sofia-SIP package. We recommend that users unmerge it:</p>
<code>
# emerge --ask --depclean "net-libs/sofia-sip"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22741">CVE-2023-22741</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32307">CVE-2023-32307</uri>
</references>
<metadata tag="requester" timestamp="2024-07-05T06:01:03.002442Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-05T06:01:03.007447Z">graaff</metadata>
</glsa>


@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-11">
<title>PuTTY: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in PuTTY, the worst of which could lead to compromised keys.</synopsis>
<product type="ebuild">putty</product>
<announced>2024-07-05</announced>
<revised count="1">2024-07-05</revised>
<bug>920304</bug>
<bug>930082</bug>
<access>remote</access>
<affected>
<package name="net-misc/putty" auto="yes" arch="*">
<unaffected range="ge">0.81</unaffected>
<vulnerable range="lt">0.81</vulnerable>
</package>
</affected>
<background>
<p>PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PuTTY. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PuTTY users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/putty-0.81"
</code>
<p>In addition, any keys generated with PuTTY versions 0.68 to 0.80 should be considered breached and should be regenerated.</p>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-48795">CVE-2023-48795</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-31497">CVE-2024-31497</uri>
</references>
<metadata tag="requester" timestamp="2024-07-05T06:43:24.794955Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-05T06:43:24.797373Z">graaff</metadata>
</glsa>


@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-12">
<title>podman: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Podman, the worst of which could lead to privilege escalation.</synopsis>
<product type="ebuild">podman</product>
<announced>2024-07-05</announced>
<revised count="1">2024-07-05</revised>
<bug>829896</bug>
<bug>870931</bug>
<bug>896372</bug>
<bug>921290</bug>
<bug>923751</bug>
<bug>927500</bug>
<bug>927501</bug>
<access>local</access>
<affected>
<package name="app-containers/podman" auto="yes" arch="*">
<unaffected range="ge">4.9.4</unaffected>
<vulnerable range="lt">4.9.4</vulnerable>
</package>
</affected>
<background>
<p>Podman is a tool for managing OCI containers and pods with a Docker-compatible CLI.</p>
</background>
<description>
<p>Please review the referenced CVE identifiers for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Podman users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-containers/podman-4.9.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4024">CVE-2021-4024</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2989">CVE-2022-2989</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0778">CVE-2023-0778</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-48795">CVE-2023-48795</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1753">CVE-2024-1753</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23651">CVE-2024-23651</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23652">CVE-2024-23652</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23653">CVE-2024-23653</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24786">CVE-2024-24786</uri>
</references>
<metadata tag="requester" timestamp="2024-07-05T07:05:25.139225Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-05T07:05:25.142869Z">graaff</metadata>
</glsa>


@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-13">
<title>WebKitGTK+: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in WebKitGTK+, the worst of which could lead to arbitrary code execution</synopsis>
<product type="ebuild">webkit-gtk</product>
<announced>2024-07-05</announced>
<revised count="1">2024-07-05</revised>
<bug>923851</bug>
<bug>930116</bug>
<access>local and remote</access>
<affected>
<package name="net-libs/webkit-gtk" auto="yes" arch="*">
<unaffected range="ge" slot="4">2.44.0</unaffected>
<unaffected range="ge" slot="4.1">2.44.0</unaffected>
<unaffected range="ge" slot="6">2.44.0</unaffected>
<vulnerable range="lt" slot="4">2.44.0</vulnerable>
<vulnerable range="lt" slot="4.1">2.44.0</vulnerable>
<vulnerable range="lt" slot="6">2.44.0</vulnerable>
</package>
</affected>
<background>
<p>WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All WebKitGTK+ users should upgrade to the latest version (depending on the installed slots):</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4"
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4.1"
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:6"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1745">CVE-2014-1745</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40414">CVE-2023-40414</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42833">CVE-2023-42833</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42843">CVE-2023-42843</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42950">CVE-2023-42950</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42956">CVE-2023-42956</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23206">CVE-2024-23206</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23213">CVE-2024-23213</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23222">CVE-2024-23222</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23252">CVE-2024-23252</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23254">CVE-2024-23254</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23263">CVE-2024-23263</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23280">CVE-2024-23280</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23284">CVE-2024-23284</uri>
<uri link="https://webkitgtk.org/security/WSA-2024-0001.html">WSA-2024-0001</uri>
<uri link="https://webkitgtk.org/security/WSA-2024-0002.html">WSA-2024-0002</uri>
</references>
<metadata tag="requester" timestamp="2024-07-05T07:33:55.537227Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-05T07:33:55.540478Z">graaff</metadata>
</glsa>


@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-14">
<title>TigerVNC: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in TigerVNC, the worst of which could lead to remote code execution.</synopsis>
<product type="ebuild">tigervnc</product>
<announced>2024-07-05</announced>
<revised count="1">2024-07-05</revised>
<bug>700464</bug>
<access>remote</access>
<affected>
<package name="net-misc/tigervnc" auto="yes" arch="*">
<unaffected range="ge">1.12.0-r2</unaffected>
<vulnerable range="lt">1.12.0-r2</vulnerable>
</package>
</affected>
<background>
<p>TigerVNC is a high-performance VNC server/client.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in TigerVNC. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All TigerVNC users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/tigervnc-1.12.0-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15691">CVE-2019-15691</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15692">CVE-2019-15692</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15694">CVE-2019-15694</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15695">CVE-2019-15695</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-26117">CVE-2020-26117</uri>
</references>
<metadata tag="requester" timestamp="2024-07-05T08:04:14.901340Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-05T08:04:14.904899Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-15">
<title>GraphicsMagick: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in GraphicsMagick, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">graphicsmagick</product>
<announced>2024-07-05</announced>
<revised count="1">2024-07-05</revised>
<bug>888545</bug>
<bug>890851</bug>
<access>local</access>
<affected>
<package name="media-gfx/graphicsmagick" auto="yes" arch="*">
<unaffected range="ge">1.3.40</unaffected>
<vulnerable range="lt">1.3.40</vulnerable>
</package>
</affected>
<background>
<p>GraphicsMagick is a collection of tools and libraries which support reading, writing, and manipulating images in many major formats.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GraphicsMagick. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GraphicsMagick users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.3.40"
</code>
</resolution>
<references>
</references>
<metadata tag="requester" timestamp="2024-07-05T08:23:55.078128Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-05T08:23:55.084776Z">graaff</metadata>
</glsa>
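Review bot: The `<references>` element of GLSA 202407-15 is empty while both `<description>` and `<impact>` tell the reader to "review the referenced CVE identifiers", so this advisory offers nothing to act on beyond the two Gentoo bug numbers 888545 and 890851. Since these files are mirrored from upstream Gentoo, adding the missing `<uri>` entries belongs in the upstream advisory rather than in this sync, but it is worth flagging so that tooling consuming this metadata does not read an empty reference list as "no CVEs affect this version".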


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-16">
<title>GNU Coreutils: Buffer Overflow Vulnerability</title>
<synopsis>A vulnerability has been discovered in Coreutils, which can lead to a heap buffer overflow and possibly aribitrary code execution.</synopsis>
<product type="ebuild">coreutils</product>
<announced>2024-07-05</announced>
<revised count="1">2024-07-05</revised>
<bug>922474</bug>
<access>local</access>
<affected>
<package name="sys-apps/coreutils" auto="yes" arch="*">
<unaffected range="ge">9.4-r1</unaffected>
<vulnerable range="lt">9.4-r1</vulnerable>
</package>
</affected>
<background>
<p>The GNU Core Utilities are the basic file, shell and text manipulation utilities of the GNU operating system.</p>
</background>
<description>
<p>A vulnerability has been discovered in the Coreutils &#34;split&#34; program that can lead to a heap buffer overflow and possibly arbitrary code execution.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Coreutils users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/coreutils-9.4-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0684">CVE-2024-0684</uri>
</references>
<metadata tag="requester" timestamp="2024-07-05T09:26:36.559921Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-05T09:26:36.562608Z">graaff</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-17">
<title>BusyBox: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in BusyBox, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">busybox</product>
<announced>2024-07-05</announced>
<revised count="1">2024-07-05</revised>
<bug>824222</bug>
<access>local</access>
<affected>
<package name="sys-apps/busybox" auto="yes" arch="*">
<unaffected range="ge">1.34.0</unaffected>
<vulnerable range="lt">1.34.0</vulnerable>
</package>
</affected>
<background>
<p>BusyBox is set of tools for embedded systems and is a replacement for GNU Coreutils.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in BusyBox. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All BusyBox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.34.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42373">CVE-2021-42373</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42374">CVE-2021-42374</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42375">CVE-2021-42375</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42376">CVE-2021-42376</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42377">CVE-2021-42377</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42378">CVE-2021-42378</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42379">CVE-2021-42379</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42380">CVE-2021-42380</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42381">CVE-2021-42381</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42382">CVE-2021-42382</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42383">CVE-2021-42383</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42384">CVE-2021-42384</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42385">CVE-2021-42385</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42386">CVE-2021-42386</uri>
</references>
<metadata tag="requester" timestamp="2024-07-05T09:49:36.081859Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-05T09:49:36.086656Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-18">
<title>Stellarium: Arbitrary File Write</title>
<synopsis>A vulnerability has been discovered in Stellarium, which can lead to arbitrary file writes.</synopsis>
<product type="ebuild">stellarium</product>
<announced>2024-07-05</announced>
<revised count="1">2024-07-05</revised>
<bug>905300</bug>
<access>local and remote</access>
<affected>
<package name="sci-astronomy/stellarium" auto="yes" arch="*">
<unaffected range="ge">23.1</unaffected>
<vulnerable range="lt">23.1</vulnerable>
</package>
</affected>
<background>
<p>Stellarium is a free open source planetarium for your computer. It shows a realistic sky in 3D, just like what you see with the naked eye, binoculars or a telescope.</p>
</background>
<description>
<p>A vulnerability has been discovered in Stellarium. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>Attackers can write to files that are typically unintended, such as ones with absolute pathnames or .. directory traversal.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Stellarium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sci-astronomy/stellarium-23.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28371">CVE-2023-28371</uri>
</references>
<metadata tag="requester" timestamp="2024-07-05T17:31:39.463505Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-05T17:31:39.467808Z">graaff</metadata>
</glsa>


@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-19">
<title>Mozilla Thunderbird: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution.</synopsis>
<product type="ebuild">thunderbird,thunderbird-bin</product>
<announced>2024-07-06</announced>
<revised count="1">2024-07-06</revised>
<bug>932375</bug>
<access>remote</access>
<affected>
<package name="mail-client/thunderbird" auto="yes" arch="*">
<unaffected range="ge">115.11.0</unaffected>
<vulnerable range="lt">115.11.0</vulnerable>
</package>
<package name="mail-client/thunderbird-bin" auto="yes" arch="*">
<unaffected range="ge">115.11.0</unaffected>
<vulnerable range="lt">115.11.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Thunderbird binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.11.0"
</code>
<p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.11.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2609">CVE-2024-2609</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3302">CVE-2024-3302</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3854">CVE-2024-3854</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3857">CVE-2024-3857</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3859">CVE-2024-3859</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3861">CVE-2024-3861</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3864">CVE-2024-3864</uri>
</references>
<metadata tag="requester" timestamp="2024-07-06T06:14:39.955147Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-06T06:14:39.959045Z">graaff</metadata>
</glsa>


@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-20">
<title>KDE Plasma Workspaces: Privilege Escalation</title>
<synopsis>A vulnerability has been discovered in KDE Plasma Workspaces, which can lead to privilege escalation.</synopsis>
<product type="ebuild">plasma-workspace</product>
<announced>2024-07-06</announced>
<revised count="1">2024-07-06</revised>
<bug>933342</bug>
<access>remote</access>
<affected>
<package name="kde-plasma/plasma-workspace" auto="yes" arch="*">
<unaffected range="ge">5.27.11.1</unaffected>
<vulnerable range="lt">5.27.11.1</vulnerable>
</package>
</affected>
<background>
<p>KDE Plasma workspace is a widget based desktop environment designed to be fast and efficient.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in KDE Plasma Workspaces. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>KSmserver, KDE&#39;s XSMP manager, incorrectly allows connections via ICE
based purely on the host, allowing all local connections. This allows
another user on the same machine to gain access to the session
manager.
A well crafted client could use the session restore feature to execute
arbitrary code as the user on the next boot.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All KDE Plasma Workspaces users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-plasma/plasma-workspace-5.27.11.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-36041">CVE-2024-36041</uri>
</references>
<metadata tag="requester" timestamp="2024-07-06T06:45:04.101679Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-06T06:45:04.105556Z">graaff</metadata>
</glsa>
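Review bot: `<access>remote</access>` in GLSA 202407-20 conflicts with the advisory's own impact text, which describes another user on the same machine reaching the session manager over ICE — a local vector, and the other advisories in this commit use `local` for that case (for example 202407-12 and 202407-17). The `<description>` also says "Multiple vulnerabilities" while the title, synopsis and reference list describe a single CVE. Because the file is mirrored from upstream, the correction `<access>local</access>` would have to go upstream, but anyone triaging this batch by the access field should not route this advisory on the basis of "remote".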


@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-21">
<title>X.Org X11 library: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in the X.Org X11 library, the worst of which could lead to a denial of service.</synopsis>
<product type="ebuild">libX11</product>
<announced>2024-07-06</announced>
<revised count="1">2024-07-06</revised>
<bug>877461</bug>
<bug>908549</bug>
<bug>915129</bug>
<access>remote</access>
<affected>
<package name="x11-libs/libX11" auto="yes" arch="*">
<unaffected range="ge">1.8.7</unaffected>
<vulnerable range="lt">1.8.7</vulnerable>
</package>
</affected>
<background>
<p>X.Org is an implementation of the X Window System. The X.Org X11 library provides the X11 protocol library files.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in X.Org X11 library. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All X.Org X11 library users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libX11-1.8.7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3554">CVE-2022-3554</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3555">CVE-2022-3555</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3138">CVE-2023-3138</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43785">CVE-2023-43785</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43786">CVE-2023-43786</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43787">CVE-2023-43787</uri>
</references>
<metadata tag="requester" timestamp="2024-07-06T06:46:25.255732Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-06T06:46:25.259127Z">graaff</metadata>
</glsa>


@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202407-22">
<title>Mozilla Firefox: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could arbitrary code execution.</synopsis>
<product type="ebuild">firefox,firefox-bin</product>
<announced>2024-07-06</announced>
<revised count="1">2024-07-06</revised>
<bug>927559</bug>
<access>remote</access>
<affected>
<package name="www-client/firefox" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">124.0.1</unaffected>
<unaffected range="ge" slot="esr">115.9.1</unaffected>
<vulnerable range="lt" slot="rapid">124.0.1</vulnerable>
<vulnerable range="lt" slot="esr">115.9.1</vulnerable>
</package>
<package name="www-client/firefox-bin" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">124.0.1</unaffected>
<unaffected range="ge" slot="esr">115.9.1</unaffected>
<vulnerable range="lt" slot="rapid">124.0.1</vulnerable>
<vulnerable range="lt" slot="esr">115.9.1</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-124.0.1"
</code>
<p>All Mozilla Firefox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-124.0.1:rapid"
</code>
<p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-115.9.1:esr"
</code>
<p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.9.1:esr"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-29943">CVE-2024-29943</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-29944">CVE-2024-29944</uri>
</references>
<metadata tag="requester" timestamp="2024-07-06T07:11:46.269314Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-07-06T07:11:46.272380Z">graaff</metadata>
</glsa>


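--- /dev/null
+++ b/<path-not-shown>/glsa-202407-23.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-23">
+<title>LIVE555 Media Server: Multiple Vulnerabilities</title>
+<synopsis>Multiple vulnerabilities have been discovered in LIVE555 Media Server, the worst of which could lead to a denial of service.</synopsis>
+<product type="ebuild">live</product>
+<announced>2024-07-09</announced>
+<revised count="1">2024-07-09</revised>
+<bug>732598</bug>
+<bug>807622</bug>
+<access>local and remote</access>
+<affected>
+<package name="media-plugins/live" auto="yes" arch="*">
+<unaffected range="ge">2021.08.24</unaffected>
+<vulnerable range="lt">2021.08.24</vulnerable>
+</package>
+</affected>
+<background>
+<p>LIVE555 Media Server is a set of libraries for multimedia streaming.</p>
+</background>
+<description>
+<p>Multiple vulnerabilities have been discovered in LIVE555 Media Server. Please review the CVE identifiers referenced below for details.</p>
+</description>
+<impact type="normal">
+<p>Please review the referenced CVE identifiers for details.</p>
+</impact>
+<workaround>
+<p>There is no known workaround at this time.</p>
+</workaround>
+<resolution>
+<p>All LIVE555 Media Server users should upgrade to the latest version:</p>
+<code>
+# emerge --sync
+# emerge --ask --oneshot --verbose ">=media-plugins/live-2021.08.24"
+</code>
+</resolution>
+<references>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-24027">CVE-2020-24027</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38380">CVE-2021-38380</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38381">CVE-2021-38381</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38382">CVE-2021-38382</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39282">CVE-2021-39282</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39283">CVE-2021-39283</uri>
+</references>
+<metadata tag="requester" timestamp="2024-07-09T13:09:03.649511Z">graaff</metadata>
+<metadata tag="submitter" timestamp="2024-07-09T13:09:03.653871Z">graaff</metadata>
+</glsa>
+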
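Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` declaration on the second line points at an external DTD, and the same header appears in every advisory added by this commit (202407-24 through 202407-28). Any tool that consumes these files should parse them with DTD loading and external-entity resolution disabled, so the SYSTEM identifier is never fetched over the network, and validate against a locally pinned copy of the DTD if validation is wanted at all. The identifier is Gentoo's conventional format marker, so this is a consumer-side hardening note rather than a change to the file itself.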

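--- /dev/null
+++ b/<path-not-shown>/glsa-202407-24.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-24">
+<title>HarfBuzz: Denial of Service</title>
+<synopsis>A vulnerability has been discovered in HarfBuzz, which can lead to a denial of service.</synopsis>
+<product type="ebuild">harfbuzz</product>
+<announced>2024-07-10</announced>
+<revised count="1">2024-07-10</revised>
+<bug>905310</bug>
+<access>local</access>
+<affected>
+<package name="media-libs/harfbuzz" auto="yes" arch="*">
+<unaffected range="ge">7.1.0</unaffected>
+<vulnerable range="lt">7.1.0</vulnerable>
+</package>
+</affected>
+<background>
+<p>HarfBuzz is an OpenType text shaping engine.</p>
+</background>
+<description>
+<p>Multiple vulnerabilities have been discovered in HarfBuzz. Please review the CVE identifiers referenced below for details.</p>
+</description>
+<impact type="normal">
+<p>hb-ot-layout-gsubgpos.hh in HarfBuzz allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.</p>
+</impact>
+<workaround>
+<p>There is no known workaround at this time.</p>
+</workaround>
+<resolution>
+<p>All HarfBuzz users should upgrade to the latest version:</p>
+<code>
+# emerge --sync
+# emerge --ask --oneshot --verbose ">=media-libs/harfbuzz-7.1.0"
+</code>
+</resolution>
+<references>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22006">CVE-2023-22006</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22036">CVE-2023-22036</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22041">CVE-2023-22041</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22044">CVE-2023-22044</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22045">CVE-2023-22045</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22049">CVE-2023-22049</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-25193">CVE-2023-25193</uri>
+</references>
+<metadata tag="requester" timestamp="2024-07-10T06:11:01.173024Z">graaff</metadata>
+<metadata tag="submitter" timestamp="2024-07-10T06:11:01.176040Z">graaff</metadata>
+</glsa>
+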
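Review bot: The advisory is internally inconsistent about how many issues it covers: `<title>` and `<synopsis>` describe a single denial-of-service vulnerability, `<impact>` describes only the O(n^2) mark-attachment issue, yet `<description>` says "Multiple vulnerabilities" and `<references>` lists seven CVEs. Six of those (CVE-2023-22006 through CVE-2023-22049) appear to be identifiers assigned to a downstream product that bundles HarfBuzz rather than to HarfBuzz itself, which would make the package-to-CVE mapping misleading for anyone using these files to reconcile scanner output; worth confirming against the referenced NVD entries before relying on it. If only CVE-2023-25193 applies, trim `<references>` to it and change the description to `<p>A vulnerability has been discovered in HarfBuzz. Please review the CVE identifier referenced below for details.</p>`; otherwise align title and synopsis with "Multiple Vulnerabilities".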

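--- /dev/null
+++ b/<path-not-shown>/glsa-202407-25.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-25">
+<title>Buildah: Multiple Vulnerabilities</title>
+<synopsis>Multiple vulnerabilities have been discovered in Buildah, the worst of which could lead to privilege escalation.</synopsis>
+<product type="ebuild">buildah</product>
+<announced>2024-07-10</announced>
+<revised count="1">2024-07-10</revised>
+<bug>923650</bug>
+<bug>927499</bug>
+<bug>927502</bug>
+<access>local</access>
+<affected>
+<package name="app-containers/buildah" auto="yes" arch="*">
+<unaffected range="ge">1.35.3</unaffected>
+<vulnerable range="lt">1.35.3</vulnerable>
+</package>
+</affected>
+<background>
+<p>Buildah is a tool that facilitates building Open Container Initiative (OCI) container images</p>
+</background>
+<description>
+<p>Please review the referenced CVE identifiers for details.</p>
+</description>
+<impact type="high">
+<p>Please review the referenced CVE identifiers for details.</p>
+</impact>
+<workaround>
+<p>There is no known workaround at this time.</p>
+</workaround>
+<resolution>
+<p>All Buildah users should upgrade to the latest version:</p>
+<code>
+# emerge --sync
+# emerge --ask --oneshot --verbose ">=app-containers/buildah-1.35.3"
+</code>
+</resolution>
+<references>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1753">CVE-2024-1753</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23651">CVE-2024-23651</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23652">CVE-2024-23652</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23653">CVE-2024-23653</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24786">CVE-2024-24786</uri>
+</references>
+<metadata tag="requester" timestamp="2024-07-10T06:35:05.025996Z">graaff</metadata>
+<metadata tag="submitter" timestamp="2024-07-10T06:35:05.030840Z">graaff</metadata>
+</glsa>
+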
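Review bot: `<description>` carries the same one-line boilerplate as `<impact>` ("Please review the referenced CVE identifiers for details."), whereas the sibling advisories in this commit (202407-23, 202407-24, 202407-27) open the description by naming the package; for consistency it should read `<p>Multiple vulnerabilities have been discovered in Buildah. Please review the CVE identifiers referenced below for details.</p>`. The `<background>` paragraph is also missing its terminating period: `<p>Buildah is a tool that facilitates building Open Container Initiative (OCI) container images.</p>`.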

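--- /dev/null
+++ b/<path-not-shown>/glsa-202407-26.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-26">
+<title>Dmidecode: Privilege Escalation</title>
+<synopsis>A vulnerability has been discovered in Dmidecode, which can lead to privilege escalation.</synopsis>
+<product type="ebuild">dmidecode</product>
+<announced>2024-07-24</announced>
+<revised count="1">2024-07-24</revised>
+<bug>905093</bug>
+<access>local</access>
+<affected>
+<package name="sys-apps/dmidecode" auto="yes" arch="*">
+<unaffected range="ge">3.5</unaffected>
+<vulnerable range="lt">3.5</vulnerable>
+</package>
+</affected>
+<background>
+<p>Dmidecode reports information about your system&#39;s hardware as described in your system BIOS according to the SMBIOS/DMI standard (see a sample output). This information typically includes system manufacturer, model name, serial number, BIOS version, asset tag as well as a lot of other details of varying level of interest and reliability depending on the manufacturer. This will often include usage status for the CPU sockets, expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and the list of I/O ports (e.g. serial, parallel, USB).</p>
+</background>
+<description>
+<p>Dmidecode -dump-bin can overwrite a local file. This has security relevance because, for example, execution of Dmidecode via sudo is plausible.</p>
+</description>
+<impact type="normal">
+<p>Please review the referenced CVE identifier for details.</p>
+</impact>
+<workaround>
+<p>There is no known workaround at this time.</p>
+</workaround>
+<resolution>
+<p>All Dmidecode users should upgrade to the latest version:</p>
+<code>
+# emerge --sync
+# emerge --ask --oneshot --verbose ">=sys-apps/dmidecode-3.5"
+</code>
+</resolution>
+<references>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-30630">CVE-2023-30630</uri>
+</references>
+<metadata tag="requester" timestamp="2024-07-24T06:06:10.030561Z">graaff</metadata>
+<metadata tag="submitter" timestamp="2024-07-24T06:06:10.033680Z">graaff</metadata>
+</glsa>
+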
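Review bot: The `<description>` names the option as `-dump-bin` with a single hyphen; dmidecode's long option is `--dump-bin`, and the single-hyphen form looks like it was inherited from the NVD text, so the line should read `<p>Dmidecode --dump-bin can overwrite a local file. This has security relevance because, for example, execution of Dmidecode via sudo is plausible.</p>`. The `<background>` paragraph also says "(see a sample output)", which refers to material on the upstream web page that is not part of this advisory and should be dropped. Since the title says "Privilege Escalation" while the description only states that a file can be overwritten, the `<impact>` paragraph would be more useful if it stated the actual consequence, e.g. that a user permitted to run dmidecode via sudo could overwrite arbitrary files as root, rather than repeating "Please review the referenced CVE identifier for details."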

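--- /dev/null
+++ b/<path-not-shown>/glsa-202407-27.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-27">
+<title>ExifTool: Multiple vulnerabilities</title>
+<synopsis>Multiple vulnerabilities have been discovered in ExifTool, the worst of which could lead to arbitrary code execution.</synopsis>
+<product type="ebuild">exiftool</product>
+<announced>2024-07-24</announced>
+<revised count="1">2024-07-24</revised>
+<bug>785667</bug>
+<bug>791397</bug>
+<bug>803317</bug>
+<bug>832033</bug>
+<access>local</access>
+<affected>
+<package name="media-libs/exiftool" auto="yes" arch="*">
+<unaffected range="ge">12.42</unaffected>
+<vulnerable range="lt">12.42</vulnerable>
+</package>
+</affected>
+<background>
+<p>ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.</p>
+</background>
+<description>
+<p>Multiple vulnerabilities have been discovered in ExifTool. Please review the CVE identifiers referenced below for details.</p>
+</description>
+<impact type="normal">
+<p>Please review the referenced CVE identifiers for details.</p>
+</impact>
+<workaround>
+<p>There is no known workaround at this time.</p>
+</workaround>
+<resolution>
+<p>All ExifTool users should upgrade to the latest version:</p>
+<code>
+# emerge --sync
+# emerge --ask --oneshot --verbose ">=media-libs/exiftool-12.42"
+</code>
+</resolution>
+<references>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22204">CVE-2021-22204</uri>
+<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23935">CVE-2022-23935</uri>
+</references>
+<metadata tag="requester" timestamp="2024-07-24T06:08:31.681636Z">graaff</metadata>
+<metadata tag="submitter" timestamp="2024-07-24T06:08:31.685111Z">graaff</metadata>
+</glsa>
+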
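Review bot: The `<title>` uses lowercase "vulnerabilities" while the other multi-issue advisories in this commit (202407-23, 202407-25) use title case, so it should read `<title>ExifTool: Multiple Vulnerabilities</title>` for consistency. The synopsis promises "arbitrary code execution" as the worst outcome, but `<impact type="normal">` only defers to the CVE list; stating the trigger there — processing a crafted image file — would let readers judge exposure without following the links.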

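--- /dev/null
+++ b/<path-not-shown>/glsa-202407-28.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202407-28">
+<title>Freenet: Deanonymization Vulnerability</title>
+<synopsis>A vulnerability has been discovered in Freenet, which can lead to deanonymization due to path folding.</synopsis>
+<product type="ebuild">freenet</product>
+<announced>2024-07-24</announced>
+<revised count="1">2024-07-24</revised>
+<bug>904441</bug>
+<access>remote</access>
+<affected>
+<package name="net-p2p/freenet" auto="yes" arch="*">
+<unaffected range="ge">0.7.5_p1497</unaffected>
+<vulnerable range="lt">0.7.5_p1497</vulnerable>
+</package>
+</affected>
+<background>
+<p>Freenet is an encrypted network without censorship.</p>
+</background>
+<description>
+<p>This release fixes a severe vulnerability in path folding that allowed
+to distinguish between downloaders and forwarders with an adapted
+node that is directly connected via opennet.</p>
+</description>
+<impact type="normal">
+<p>This release fixes a severe vulnerability in path folding that allowed
+to distinguish between downloaders and forwarders with an adapted
+node that is directly connected via opennet.</p>
+</impact>
+<workaround>
+<p>There is no known workaround at this time.</p>
+</workaround>
+<resolution>
+<p>All Freenet users should upgrade to the latest version:</p>
+<code>
+# emerge --sync
+# emerge --ask --oneshot --verbose ">=net-p2p/freenet-0.7.5_p1497"
+</code>
+</resolution>
+<references>
+</references>
+<metadata tag="requester" timestamp="2024-07-24T06:10:44.345056Z">graaff</metadata>
+<metadata tag="submitter" timestamp="2024-07-24T06:10:44.351516Z">graaff</metadata>
+</glsa>
+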
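Review bot: `<references>` is empty, so this advisory has no CVE identifier and no upstream link, which leaves anyone mapping this GLSA to a vulnerability database with only the Gentoo bug number in `<bug>`; if no CVE was assigned, a `<uri link="UPSTREAM_ADVISORY_URL_HERE">` pointing at the upstream release announcement for 0.7.5 build 1497 should be added as the authoritative source. `<description>` and `<impact>` are the same three lines of upstream release-note text ("This release fixes…"), which reads oddly in an advisory; the impact should instead state the consequence — a remote opennet peer could tell whether a directly connected node is the downloader of content or merely forwarding it — and the description the cause, the path-folding flaw. The hard line breaks inside those `<p>` elements become part of the text content when rendered and are best collapsed onto one line each.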

@ -1 +1 @@
Mon, 01 Jul 2024 06:40:29 +0000
Thu, 01 Aug 2024 06:40:30 +0000


@ -1 +1 @@
7c19ce25facd6aa54d2b0f9a8fecd6020509009e 1719814176 2024-07-01T06:09:36Z
13a66c5def0d04b908b4e9faf4975aebf3c111a0 1721801457 2024-07-24T06:10:57Z